An online poker service that deals solely in Bitcoin has issued a mandatory password reset one day after someone published login credentials for more than 42,000 enthusiasts of the card game and digital currency.

An advisory published Thursday by Seals with Clubs warns, "Our database containing user credentials was likely compromised." Left out is any mention of a list of 42,020 hashes posted to a user forum about 24 hours earlier. While the person posting didn't identify the source of the cryptographically salted SHA1 hashes, early rounds of cracking uncovered passwords such as "sealswithclubs", "88seals88", "bitcoin1000000", and "pokerseals". Password security experts almost immediately suspected that they belonged to Seals with Clubs users. Thursday's advisory from the site is probably the closest we'll get to a definite confirmation.

In Wednesday's post, which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of hashes and offered $20 in Bitcoins for every 1,000 unique hashes that were cracked. Nine minutes later, the first reply came in, claiming to have recovered the first 1,000. One day in, about two-thirds of the list has been cracked. It wouldn't be surprising to see that amount reach 80 percent or higher in the coming days.

On the Seals with Clubs site, operators described themselves this way:

We are a small team of former online poker players that were put out of a job on Black Friday. We provide Texas Hold’em Poker. Player balances are denominated in bitcoins and all cash-ins and cash-outs are done via Bitcoin. No traditional currency is ever used. We choose to remain anonymous. We’ve been building our reputation since August 2011 and we’re committed to bitcoin poker for the long haul.

SHA1... really?


It's unfortunate that Seals with Clubs' engineers chose such a poor algorithm to hash users' passwords. As Ars has long explained, SHA1, MD5, and for that matter the recently released SHA3 hash functions are ill-suited to passwords. That's true even when those algorithms are used with cryptographic salt, which makes life much harder for crackers by producing a unique hash even when two or more users choose the same password. The reason SHA1 and its ilk should be taboo is that they're extremely fast and require relatively minimal computing resources to convert plaintext into "message digests," which is just another name for hashes. A much better choice would be PBKDF2 or bcrypt, algorithms that were designed from the beginning to be much slower and more computationally demanding. They force crackers holding large numbers of hashes to spend orders of magnitude longer recovering the underlying passwords. That buys breached websites and end users time to change passwords before the accounts they protect are compromised.
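The difference between the two approaches is easiest to see side by side. The following Python is an added illustration, not code from Seals with Clubs or from Ars: it stores a salted SHA1 record next to a PBKDF2-HMAC-SHA256 record in a constructed `algorithm$iterations$salt$digest` format (an assumption made for this example, not the site's real schema), verifies both in constant time, flags records that should be rehashed, and measures how many guesses per second a single thread can test against each. The 600,000 default iteration count is likewise an assumption chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Record format used in this example (constructed, not Seals with Clubs' real schema):
#   "<algorithm>$<iterations>$<salt hex>$<digest hex>"


def salted_sha1_hash(password: str, salt: bytes) -> str:
    """The fast scheme the article criticises: a single SHA1 over salt || password.
    Salting defeats precomputed tables, but each guess still costs only one SHA1."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1$1${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """A deliberately slow scheme: PBKDF2-HMAC-SHA256 with a tunable iteration count.
    Every guess an attacker makes must pay the same `iterations` cost."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    ).hex()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest}"


def new_salt() -> bytes:
    """16 random bytes per user from the OS CSPRNG."""
    return os.urandom(16)


def verify(password: str, stored: str) -> bool:
    """Recompute the record for the supplied password and compare in constant time."""
    algo, iterations, salt_hex, _digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if algo == "sha1":
        candidate = salted_sha1_hash(password, salt)
    elif algo == "pbkdf2_sha256":
        candidate = pbkdf2_hash(password, salt, int(iterations))
    else:
        raise ValueError(f"unsupported algorithm: {algo}")
    return hmac.compare_digest(candidate, stored)


def needs_upgrade(stored: str, min_iterations: int = 600_000) -> bool:
    """True if a record uses a fast hash or too few iterations.
    A site migrating off SHA1 can call this right after a successful login
    (or during a forced reset) and rehash the just-verified plaintext with pbkdf2_hash."""
    algo, iterations, _salt, _digest = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < min_iterations


def guesses_per_second(stored: str, seconds: float = 0.5) -> float:
    """Rough single-thread rate at which verify() can test candidate passwords
    against one record. Real cracking rigs are far faster, but the ratio between
    the two schemes is what the iteration count controls."""
    deadline = time.perf_counter() + seconds
    guesses = 0
    while time.perf_counter() < deadline:
        verify(f"guess{guesses}", stored)  # constructed candidate, never matches
        guesses += 1
    return guesses / seconds


if __name__ == "__main__":
    salt = new_salt()
    # "sealswithclubs" is one of the recovered passwords named in the article
    weak = salted_sha1_hash("sealswithclubs", salt)
    strong = pbkdf2_hash("sealswithclubs", salt, 100_000)
    print("SHA1 record:   ", weak)
    print("PBKDF2 record: ", strong)
    print("both verify:", verify("sealswithclubs", weak), verify("sealswithclubs", strong))
    print("guesses/s vs SHA1:  ", round(guesses_per_second(weak)))
    print("guesses/s vs PBKDF2:", round(guesses_per_second(strong)))
    print("SHA1 record needs upgrade:", needs_upgrade(weak))
```

Running the script prints the two records, confirms both verify, and shows the single-thread guess rate against the PBKDF2 record collapsing by roughly the iteration count relative to SHA1. `needs_upgrade` is the hook a site would use to retire old SHA1 records transparently as users authenticate rather than keeping them around indefinitely.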

It's safe to assume that virtually all account holders of Seals with Clubs are Bitcoin users. It's also safe to assume that some percentage of Seals with Clubs players reuse their passwords for other sites or services. That means the people holding the spilled hash cache are sitting on a potentially lucrative list of credentials that could unlock accounts holding huge sums of money.


The InsidePro forums give outsiders a bird's-eye view into the world of password cracking. On almost any day, scores of people post requests for help cracking passwords. More often than not, the requests seem to come from people who forgot their own passwords and want help. But occasionally, InsidePro forums air huge numbers of hashes obtained from hacks on real, often large websites. In June 2012, for instance, someone posted a whopping 8 million hashes. A later analysis showed that about 6.5 million of them belonged to LinkedIn users, and the other 1.5 million came from dating site eHarmony.

In Thursday's advisory, Seals with Clubs said it planned to offer users the ability to log in to accounts using two-factor authentication and only from a limited number of IP addresses. The site should be commended for taking this important step. But users should also demand that the site stop using the outdated SHA1 function to ensure passwords—some percentage of which will inevitably be reused elsewhere—aren't so easy to crack. With a mandatory password reset underway, now is the perfect time.